{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1562.004 - Impair Defenses: Disable or Modify System Firewall",
    "\n",
    "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. "
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Disable iptables firewall\nDisables the iptables firewall\n\n**Supported Platforms:** linux\n#### Attack Commands: Run with `sh`\n```sh\nif [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n  service iptables stop\n  chkconfig off iptables\n  service ip6tables stop\n  chkconfig off ip6tables\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n  systemctl stop firewalld\n  systemctl disable firewalld\nfi\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.004 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Disable Microsoft Defender Firewall\nDisables the Microsoft Defender Firewall for the current profile.\nCaution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnetsh advfirewall set currentprofile state off\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.004 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall\nAllow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.\nCaution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\nnetsh advfirewall firewall set rule group=\"file and printer sharing\" new enable=Yes\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.004 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Opening ports for proxy - HARDRAIN\nThis test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.\n\nreference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnetsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450 \n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.004 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Open a local port through Windows Firewall to any profile\nThis test will attempt to open a local port defined by input arguments to any profile\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `powershell`\n```powershell\nnetsh advfirewall firewall add rule name=\"Open Port to Any\" dir=in protocol=tcp localport=3389 action=allow profile=any```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1562.004 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}